3 best practices for better supply chain security

Johnathan Hunt VP of Security, GitLab
 

The SolarWinds breach brought national attention to an issue that had already been on a lot of security professionals’ minds: supply chain security. Supply chain security represents a huge threat to enterprises. One report found that supply chain attacks targeting open-source software projects present an enormous problem, since 90% of all applications contain open source code.

However, companies can better protect themselves by practicing good cyber hygiene, strengthening risk management strategies with third-party vendors, and implementing DevSecOps.

Supply chain security may initially appear to be a broad industry problem without tangible preventative measures, but that’s not the case. Strong DevOps cyber hygiene creates effective barriers against supply chain attacks and gives you proactive ways to shore up your defenses.

The following three approaches are great places for DevOps teams of all sizes to start.

1. Maintain visibility at all times

DevOps teams should maintain dependency visibility to ensure everybody developing software understands its dependencies, especially any dependent elements not within a given team’s immediate control. Before moving forward with software that relies on a dependency, teams should understand its portability, how frequently it receives updates, and its compatibility with other platforms. Most importantly, teams need an understanding of a dependency’s specific security posture; otherwise, they risk releasing software with exploitable vulnerabilities.

2. Assign a build monitor

A key method of guarding against supply chain attacks is securing build processes. To start, teams should assign a build monitor. This way, as the build runs, one team member watches the build process with a keen eye for anomalies, unauthorized code changes, and other signs of potentially suspicious activity. Other ways to ensure a secure build as the process progresses include:

  • Leveraging CI/CD pipelines to integrate automatic SAST and DAST tests into the development process
  • Having developers complete vulnerability and dependency scanning
  • Implementing new AI/ML tools to support scanning, monitoring, and reviews
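As an added example (not from the article), the dependency visibility and build-monitor points above can be turned into a concrete check: inventory a pinned requirements file and diff it against an approved baseline, so any unpinned, added, removed or changed dependency in a build is surfaced for review. The file contents and sha256 digests below are constructed placeholders.

```python
"""Added example (not from the article): inventory a pinned requirements
file and diff it against an approved baseline so a build monitor can spot
unpinned, added, removed or changed dependencies. Inputs are constructed."""
import re

# Matches pip-style "name==version --hash=sha256:<hex>" lines.
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)"
                    r"(?:\s+--hash=sha256:(?P<hash>[0-9a-f]{64}))?$")

def parse_requirements(text):
    """Return ({name: (version, hash_or_None)}, [unpinned lines])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m["name"].lower()] = (m["ver"], m["hash"])
        else:
            unpinned.append(line)             # e.g. "pyyaml>=5.0"
    return pinned, unpinned

def diff_dependencies(baseline_text, candidate_text):
    """Classify every difference the build monitor should review."""
    base, _ = parse_requirements(baseline_text)
    cand, unpinned = parse_requirements(candidate_text)
    return {
        "unpinned": unpinned,
        "added": sorted(set(cand) - set(base)),
        "removed": sorted(set(base) - set(cand)),
        "changed": sorted(n for n in base.keys() & cand.keys() if base[n] != cand[n]),
        "no_hash": sorted(n for n, (_, h) in cand.items() if h is None),
    }

# Constructed sample inputs; the sha256 digests are placeholders, not real.
BASELINE = "\n".join([
    "requests==2.31.0 --hash=sha256:" + "a" * 64,
    "urllib3==2.0.7 --hash=sha256:" + "b" * 64,
])
CANDIDATE = "\n".join([
    "requests==2.31.0 --hash=sha256:" + "a" * 64,   # unchanged
    "urllib3==2.1.0 --hash=sha256:" + "c" * 64,    # version and hash changed
    "newlib==0.1.0",                               # new package, no hash
    "pyyaml>=5.0",                                 # unpinned version range
])

if __name__ == "__main__":
    for kind, items in diff_dependencies(BASELINE, CANDIDATE).items():
        print(f"{kind:9s}: {items}")
```

Run as a CI step, a non-empty "unpinned", "changed" or "no_hash" list is the anomaly the build monitor should stop and review before the build proceeds.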

3. Don't be hush-hush about secrets management

Teams working with usernames and passwords, API tokens, SSH keys, encryption keys, and other sensitive authentication information within applications should invest in secrets management solutions.

With cloud-native development models on the rise in the industry, it can be difficult to account for secrets spread across multiple infrastructures, and this may leave DevOps teams vulnerable to security blind spots.

Plus, previous breaches, such as the 2016 Uber breach that started when hackers exploited vulnerabilities in its source code repository via GitHub, revealed the high cost in consumer trust when authentication information is left at risk.
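A secrets management solution keeps credentials out of source in the first place; the complementary check a practitioner wants is one that catches credential-like strings before they reach a repository. The following is an added example (not from the article) of such a pre-commit style scan; the rules are constructed for the demo, the sample lines are made up, and the key id is the AWS documentation example value.

```python
"""Added example (not from the article): a pre-commit style check that flags
credential-like strings before they reach a repository. Patterns and sample
lines are constructed for the demo; no real credentials are used."""
import math
import re
from collections import Counter

# Constructed rules for common credential shapes; a real deployment would use
# a maintained rule set, such as a CI secret detection job.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character: random tokens score high, dictionary words low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_no, rule, matched_text) for every suspicious line.
    The generic rule only fires when the assigned value looks random, so
    placeholders such as 'changeme' do not produce noise."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((no, rule, value))
    return findings

# Constructed sample source lines; the key id is the AWS documentation example.
SAMPLE = [
    'DB_PASSWORD = "changeme"',                   # low entropy, ignored
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',           # key id shape, flagged
    'api_token = "x9Qk2vL7pR4sT1wZ8bN3"',         # high entropy, flagged
    '-----BEGIN RSA PRIVATE KEY-----',            # key material, flagged
    'greeting = "hello world"',                   # nothing to report
]

if __name__ == "__main__":
    for no, rule, value in scan_lines(SAMPLE):
        print(f"line {no}: {rule}: {value}")
```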

Third-party code is here to stay

After the sobering impression SolarWinds left on the industry, and given the often-overwhelming amount of vendor risk assessment requests companies may receive, the quick solution to the supply chain question might appear to be to remove vendors from the equation entirely. That would be a huge mistake. Third-party vendors drive business growth and extend product reach—essential parts of expanding any business whether it’s a startup or a major enterprise.

So instead of cutting third-party vendors out of the equation, companies should consider more comprehensive risk management processes with them. To begin implementing risk management processes, companies should assess the risks their vendors present based on the software dependency each vendor provides. This way, the tiers of the risk management program are determined by how much the software’s security depends on that vendor.

A tiered approach not only sifts through risk assessment requests for overwhelmed security teams, but also establishes priority for any vendors that need more attention beyond standard risk assessments. Once a vendor tier is established, companies can negotiate more extensive security practices with critical vendors.

For example, companies could implement pen tests and security scorecards for high-risk tier vendors instead of issuing the usual questionnaires. While the initial creation of the tier system may be slow, a more in-depth risk assessment process will bolster supply chain security and streamline risk management for security teams.

Enterprises should also begin to ingest more data from their vendors to increase transparency and accountability between the two organizations. Data transparency between companies and their vendors is similar in principle to dependency visibility.

If vendors store sensitive information collected by the software they serve, the company responsible for the software may have no oversight of that data’s security, or worse, may not even know the data exists. Vendors and enterprises working together should be more transparent with their information to ensure that sensitive data, such as secrets or personally identifiable information, is not stored somewhere unprotected and unaccounted for.

Put the 'sec' in 'DevSecOps'

As companies continue to move to the cloud, it’s becoming increasingly apparent they should be integrating DevSecOps into their cloud infrastructure, especially in the wake of some recent, newsworthy breaches. One of the biggest barriers to effective supply chain security is go-to-market speed. Business growth requires fast releases, and scanning and code tests can slow down development.

While initial implementation of DevSecOps programs may create challenges for security teams prioritizing security and IT teams focused on moving the release out, industry research suggests DevSecOps integration and fast releases are a growing reality. GitLab’s annual industry survey, the 2021 DevSecOps Report, found that even though 84% of developers said they’re releasing code faster than ever before, 70% of security professionals report their teams have moved security considerations earlier into the development lifecycle.

This is not only a good indicator of industry security improvement, but good news for teams prioritizing supply chain security. By prioritizing security during development, your teams can catch and address the vulnerabilities exploited in supply chain attacks so you won't end up responsible for the next breaking-news breach.

Get proactive

Supply chain security has long been treated with reactive measures. While the scope of the SolarWinds hack may make supply chain security appear like a Herculean task for any security team, an intuitive risk-based approach makes it manageable.

Adopting proactive security measures, such as securing builds, practicing more comprehensive vendor risk management, and implementing DevSecOps, will lead to a more effective and secure enterprise supply chain.
